A portable, hand-held personal identification device (6) and method for providing secure access to a host facility (4) includes a 
biometric sensor system capable of sensing a biometric trait of a user that is unique to the user and providing a biometric signal indicative 
of the sensed biometric trait. A processing unit responsive to the biometric signal is adapted to compare the biometric signal with stored 
biometric data representative of the biometric trait of an enrolled person that is unique to the enrolled person, and to provide a verification 
signal only if the biometric signal corresponds sufficiently to the biometric data to verify that the user is the enrolled person. The verification 
signal (41) includes information indicative of the enrolled person or the device. A communication unit, including a transmitting circuit (28), 
is adapted to transmit the verification signal to a host system (30). 
PERSONAL IDENTIFICATION SYSTEM AND METHOD 

Background of the Invention 
The invention relates to a personal identification system and method for 
allowing access to secure facilities. 

Some security systems, such as home security systems and door locks, 
require a user to enter a fixed code into a device at a host facility before allowing a 
person access to the facility. Other systems, such as automated teller machines 
(ATM), require a person to submit an authorized card and also to enter a fixed 
code that is associated with the person's bank accounts. Automobile alarms, locks, 
and disabling devices, and garage door openers can be operated by pressing a 
button on a small remote device to transmit a coded signal to a receiving unit on 
the automobile or garage. 

Each of these security systems can be operated by any person who is in 
possession of the fixed code, the card or the transmitting device, as the case may 
be. Therefore, each of these systems is inherently insecure. Where absolute 
security is essential, some host facilities employ a biometric sensor to measure a 
biometric trait of a person requesting access to the host facility. The biometric trait 
is a unique identifier of a person, and can be, for example, a person's fingerprint, 
voice pattern, iris pattern, or the like. The requesting person also enters other 
identifying information about himself. The measured biometric trait is compared 
with stored biometric data associated with the identified person and, if there is a 
match, the requesting person is allowed entry or access to the host facility. 

In presently available biometric systems, each authorized person registers 
with the host facility by providing a sample of their biometric trait, for example, by 
having his fingerprint optically scanned into a host system data base. Each host 
facility must have a biometric sensor, access to the database of registered persons' 
biometric trait registration data, and a processing system capable of quickly 
searching the database and conducting the comparison to verify a person's identity. 
However, if the set of authorized persons is large, such a system would require a 
huge database to store the fingerprint images of all the authorized persons, and the 
identification process would become slower as the set of authorized persons 
increases. 

Summary of the Invention 
According to one aspect of the invention, a portable personal identification 
device for providing secure access to a host facility includes a biometric sensor 
system capable of sensing a biometric trait of a user that is unique to the user and 
providing a biometric signal indicative thereof. A processing circuit responsive to 
the biometric signal is adapted to compare the biometric signal with stored 
biometric data representative of the biometric trait of an enrolled person that is 
indicative of the identity of the enrolled person. The processor provides a 
verification signal only if the biometric signal corresponds sufficiently to the 
biometric data to verify that the user is the enrolled person. The verification signal 
is indicative of the enrolled person or the device. A communication unit, including 
a transmitting circuit, is adapted to transmit the verification signal to a remote host 
system. 

In another aspect, the invention features a personal identification system 
comprising a biometric sensor configured to extract a representation of a 
biometric trait of a user; a processor configured to verify the user's identity based 
upon a comparison of a representation of a biometric trait extracted from a user 
with a stored representation of the biometric trait; and a transmitter configured to 
transmit a verification signal indicative of a successful verification of the user. 

Embodiments may include one or more of the following features. The 
processor may be configured to process signals received from a global positioning 
system (GPS) receiver. The processor may be configured to derive trip information 
(e.g., the location of the GPS receiver) from the signals received from the GPS 
receiver. The processor may be programmable to prompt the user for additional 
verification information when the GPS receiver is positioned at a particular 
location. 

The system may include a user input configured to enable a user to enter 
trip information, and wherein the processor is configured to process information 
received from the user. The transmitter may be further configured to transmit 
signals representative of stored trip information. 

The biometric sensor, the processor, and the transmitter may be housed 
within a portable, hand-held housing. The system may include an input device 
mounted inside a vehicle and coupled to the vehicle's power system, and wherein 
the input device is adapted to receive the verification signal from the transmitter 
and to enable the user to turn on the vehicle only upon receipt of the verification 
signal. The housing may have the form of a pocket-sized security badge. The 
housing may be configured to receive a graphical representation of the user. 

The system may include an automatic door locking device coupled to a 
vehicle door (or trunk) and adapted to unlock the door (or trunk) upon receipt of 
the verification signal. The system also may include a receiver. The processor 
may be operable to switch the system from a low power operation to a normal 
power operation when the receiver receives a power-up signal from a host system. 
The system also may include a memory configured to store the representation of 
the biometric trait. The memory may be housed within a portable housing 
separable from the biometric sensor, processor and transmitter. 

The communication unit preferably is adapted for remote communication 
with the host system via a wireless communication medium. The device can 
further include a display and a keypad. 

The biometric sensor system can include a fingerprint sensor, a voice 
sensor, or any other type of biometric sensor. The fingerprint sensor can include a 
platen adapted for placing a finger thereon. The fingerprint sensor can further 
include an optical image sensor, which may include a complementary metal oxide 
semiconductor (CMOS) optical sensor, a charge coupled device (CCD) optical 
sensor, or any other optical sensor having sufficient resolution to provide a signal 
indicative of a fingerprint image. In the embodiments with an optical sensor, the 
platen would include an optical platen, and the biometric sensor may also include a 
lens focusing light from the platen onto the optical sensor. The fingerprint sensor 
can alternatively include a direct contact sensor device, such as a capacitive sensor 
chip or thermal sensor chip. In these embodiments, the platen would be the surface 
of the sensor chip. 
The processing unit can include a processor circuit, a memory and an 
encoder, wherein the memory stores the biometric data, and wherein the 
verification signal includes an encrypted signal encrypted by the encoder. In one 
embodiment, the encoder includes an encoding circuit, and the verification signal 
further includes an ID code indicative of the enrolled person or the device. 

In another embodiment, the encoder comprises an encryption algorithm 
programmed into the processor. The encryption algorithm employs a private key 
indicative of the enrolled person or the device. In this embodiment, the 
communication unit can further include a receiver circuit. The memory can further 
store an ID code indicative of the enrolled person or the device. The processor 
unit can be further adapted to first cause the transmitter circuit to transmit an ID 
code signal indicative of the ID code to the host system. The receiver circuit can 
be adapted to receive a host response signal transmitted by the host system in 
response to the ID code signal. The processor unit employs the encryption 
algorithm and the private key to encrypt the host response signal to create the 
verification signal, and causes the transmitter circuit to transmit the verification 
signal to the host system only if the biometric signal corresponds sufficiently to the 
biometric data to verify that the user is the enrolled person. 

In either of these embodiments, the memory can be located in a removable 
plug-in module, and the personal identification device further includes a socket 
adapted to receive the module. 

According to another aspect of the invention, a portable, hand-held personal 
identification device for providing secure access to a host facility includes a 
housing. A fingerprint sensor system in the housing is capable of sensing a 
fingerprint of a user and providing a fingerprint signal indicative thereof. The 
fingerprint sensor system includes a platen on a surface of the housing adapted to 
receive a finger. A communication unit in the housing is adapted for wireless 
communication with a separate host system. The communication unit includes a 
transmitting circuit and a receiving circuit. A slot in the housing receives a 
removable smart card that includes a memory. The device can be combined with 
the smart card. The memory in the smart card stores a fingerprint template 
representative of the fingerprint of an enrolled person, and an ID code and a 
personal encryption key being associated with the device. A processing circuit in 
the device is adapted to cause the ID code signal from memory to be transmitted 
by the transmitting circuit. The processing circuit is further adapted to cause a host 
response signal received by the receiving circuit signal from the host system in 
response to the ID code signal to be encrypted according to an encryption algorithm 
employing the personal encryption key and to cause the encrypted host response 
signal to be transmitted by the transmitting circuit only if the fingerprint signal 
corresponds sufficiently to the fingerprint template to verify that the user is the 
registered person. 

According to yet another aspect of the invention, a method of providing 
secure access to a host facility includes the step of registering one or more persons 
with the host facility, including storing a unique ID code and a public encryption 
key for each registered person. The method also includes receiving a first 
transmission comprising a first user signal at the host facility, generating and then 
transmitting a random number signal from the host facility only if the first user 
signal represents one of the stored ID codes, receiving a second transmission 
comprising a second user signal at the host facility, decrypting the second user 
signal with the public encryption key associated with the registered person who is 
also associated with the stored ID code represented by the first user signal, and 
providing access to the host facility only if the decrypted second user signal 
represents the random number. 

According to still another aspect of the invention, a method of providing 
access to a secure host facility only to registered persons includes registering one or 
more registered persons with the host system. Registering each registered person 
includes storing an ID code associated only with a portable hand-held device under 
the control of that registered person. The method also includes transmitting an ID 
code signal from a portable hand-held device to a host facility of the host system. 
The ID code signal represents an ID code associated with the transmitting device. 
Other steps include generating, at the host facility, a random number signal 
representing a random number in response to the ID code signal only if the ID 
code signal is representative of the ID code of the device controlled by one of the 
registered persons, and retrieving, with the host system, a public key associated 
with the one of the registered persons only if the ID code signal is representative of 
the ID code of the one of the devices controlled by the one of the registered persons. 
Retrieving the public key can include retrieving the public key from a trusted third 
party. Other steps include transmitting the random number signal from the host 
facility to the transmitting device, and receiving the random number signal with the 
transmitting device. The method also includes generating a user fingerprint signal 
representing a fingerprint image of a user's finger being placed on a platen of the 
transmitting device, and comparing, with the transmitting device, the user 
fingerprint signal to a fingerprint template stored in the transmitting device. 
The fingerprint template represents a fingerprint image of a person who is 
enrolled with the transmitting device. Other steps include encrypting the random 
number signal with the transmitting device, the random number signal being 
encrypted according to an encryption algorithm employing a private key 
associated with the transmitting device, transmitting the encrypted random number signal 
from the transmitting device to the host facility only if the fingerprint image 
represented by the user fingerprint signal corresponds sufficiently to the fingerprint 
image represented by the fingerprint template to verify that the user is the enrolled 
person, decrypting the encrypted random number signal with the host system, 
the decrypting employing the retrieved public key, and providing the user access to the 
host facility only if the decrypted encrypted random number signal represents the 
random number. 

Transmitting the ID code signal, transmitting the random number signal, and 
transmitting the encrypted random number signal each can include 
a wireless transmission. Transmitting the ID code signal, transmitting the random 
number signal, and transmitting the encrypted random number signal each can 
further include transmitting via at least one of a modem, a cable access TV line, 
and a computer communication medium. 
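
The exchange set out in the two method paragraphs above, sketched in Python as an added example that is not code from the patent. The RSA key is a toy built from two known primes, the 16-bit feature vectors and the Hamming-distance threshold stand in for fingerprint matching, and the names Device, Host and PID-0001 are hypothetical.

```python
"""Biometric-gated challenge-response between a hand-held device and a host."""
import secrets

# Toy RSA key from two known Mersenne primes so the example runs offline.
# Constructed for illustration: unpadded and far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; never leaves the device

MATCH_THRESHOLD = 3  # assumed: max differing feature bits still counted as a match


def hamming(a, b):
    """Number of differing bits; stand-in for real fingerprint template matching."""
    return bin(a ^ b).count("1")


class Device:
    """Portable unit holding the ID code, the private key and the enrolled template."""

    def __init__(self, id_code, private_key, template):
        self.id_code = id_code
        self._d, self._n = private_key
        self._template = template

    def announce(self):
        return self.id_code  # first transmission: ID code only

    def respond(self, challenge, live_sample):
        # The comparison happens on the device; nothing is sent on a mismatch.
        if hamming(live_sample, self._template) > MATCH_THRESHOLD:
            return None
        return pow(challenge, self._d, self._n)  # "encrypt" with the private key


class Host:
    """Host system: stores ID codes and public keys, never biometric data."""

    def __init__(self):
        self._public_keys = {}
        self._pending = {}

    def register(self, id_code, public_key):
        self._public_keys[id_code] = public_key

    def challenge(self, id_code):
        # A random number is generated only for a registered ID code.
        if id_code not in self._public_keys:
            return None
        nonce = secrets.randbits(128) + 2  # avoid the trivial values 0 and 1
        self._pending[id_code] = nonce
        return nonce

    def verify(self, id_code, response):
        nonce = self._pending.pop(id_code, None)  # each challenge is single use
        if nonce is None or response is None:
            return False
        e, n = self._public_keys[id_code]
        return pow(response, e, n) == nonce  # "decrypt" with the public key


def run_demo():
    template = 0b1011001110001111  # constructed enrolled feature vector
    device = Device("PID-0001", (D, N), template)
    host = Host()
    host.register(device.announce(), (E, N))
    results = {}

    # Enrolled user: live sample differs from the template by one bit.
    c1 = host.challenge(device.announce())
    r1 = device.respond(c1, template ^ 0b1)
    results["enrolled_user"] = host.verify(device.id_code, r1)

    # Different finger: eight bits differ, so the device stays silent.
    c2 = host.challenge(device.announce())
    r2 = device.respond(c2, template ^ 0b1111111100000000)
    results["wrong_finger_response"] = r2
    results["wrong_finger"] = host.verify(device.id_code, r2)

    # Replay of the captured first response against a fresh challenge.
    host.challenge(device.announce())
    results["replay"] = host.verify(device.id_code, r1)

    # An unregistered ID code never receives a random number.
    results["unknown_id_challenge"] = host.challenge("PID-9999")
    return results


if __name__ == "__main__":
    print(run_demo())
```

The replay case fails because the host compares the decrypted response against the random number it issued for that attempt and discards the number after one use.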

In yet another aspect of the invention, a method of providing a secure 
function at a host facility only to a registered person includes 
registering with the host facility by storing an ID code associated only with a portable 
registered device controlled by the registered person, learning a synchronization 
counter of the registered device, storing an encryption key associated with the 
registered device and associating the encryption key of the registered device with 
the stored ID code. The method also includes generating a user fingerprint signal 
representing a fingerprint image of a user's finger being placed on a platen of a 
portable user device, comparing, with the user device, the user fingerprint signal to 
a fingerprint template stored in the user device, the fingerprint template 
representing a fingerprint image of an enrolled person who is enrolled with the user 
device, and generating an access signal with the user device only if the fingerprint 
image represented by the user fingerprint signal corresponds sufficiently to the 
fingerprint image represented by the fingerprint template to verify that the user is 
the enrolled person, the access signal including an ID code associated only with the 
user device, button press information representing a requested function, and 
encrypted data encrypted with an encryption key associated with the user device, 
the encrypted data including a synchronization counter associated with the user 
device. The method then includes transmitting the access signal from the user 
device to the host facility, determining, with the host facility, if the ID code in the 
access signal matches the stored ID code, retrieving the encryption key of the 
registered device if the match is successful, employing the encryption key of the 
registered device to decrypt the encrypted data and determine the synchronization 
counter of the user device, comparing the synchronization counter of the user 
device with the synchronization counter of the registered device, and providing the 
requested function represented by the button press data only if the synchronization 
counter of the user device matches the synchronization counter of the registered 
device. 
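
The access-signal method above, sketched in Python as an added example that is not code from the patent or from any encoder chip. The 4-round Feistel cipher is a stand-in for the device's encryption algorithm, the 8-byte block layout and the names Fob, Receiver and PID-0001 are hypothetical, and the acceptance window larger than one goes beyond the exact counter match the text describes.

```python
"""Rolling-code access signal carrying an encrypted synchronization counter."""
import hashlib
import hmac
import struct


def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block):
    """Stand-in 8-byte block cipher (4-round Feistel), for illustration only."""
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def decrypt_block(key, block):
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def _tag(id_code):
    # Assumed 3-byte check value so a frame decrypted with the wrong key is detected.
    return hashlib.sha256(id_code.encode()).digest()[:3]


class Fob:
    """User device: emits an access signal only after on-device verification."""

    def __init__(self, id_code, key, counter=0):
        self.id_code, self._key, self._counter = id_code, key, counter

    def press(self, button, fingerprint_ok=True):
        if not fingerprint_ok:
            return None
        self._counter += 1
        plain = struct.pack(">IB3s", self._counter, button, _tag(self.id_code))
        return (self.id_code, button, encrypt_block(self._key, plain))


class Receiver:
    """Host facility: has learned ID code, key and counter for each device."""

    def __init__(self, window=1):
        self._learned = {}  # id_code -> [key, last accepted counter]
        self._window = window

    def learn(self, id_code, key, counter):
        self._learned[id_code] = [key, counter]

    def handle(self, frame):
        id_code, button, blob = frame
        entry = self._learned.get(id_code)
        if entry is None:
            return "unknown-id"
        key, last = entry
        counter, enc_button, tag = struct.unpack(">IB3s", decrypt_block(key, blob))
        if not hmac.compare_digest(tag, _tag(id_code)) or enc_button != button:
            return "bad-frame"
        if not 0 < counter - last <= self._window:
            return "counter-rejected"
        entry[1] = counter
        return "ok"


def run_demo():
    key = bytes(range(16))  # constructed device key
    results = {}
    for name, window in (("strict", 1), ("windowed", 16)):
        fob, rx = Fob("PID-0001", key), Receiver(window)
        rx.learn("PID-0001", key, 0)
        first = fob.press(1)
        out = [rx.handle(first)]                  # normal press
        out.append(rx.handle(first))              # replay of the captured frame
        fob.press(1)                              # two presses out of range
        fob.press(1)
        out.append(rx.handle(fob.press(2)))       # device counter is now 3 ahead
        out.append(rx.handle((first[0], 2, first[2])))  # clear-text button altered
        out.append(fob.press(1, fingerprint_ok=False))  # no signal without a match
        results[name] = out
    return results


if __name__ == "__main__":
    print(run_demo())
```

With window=1 a device that was pressed out of range is rejected from then on until it is learned again; a wider window restores it at the cost of accepting any of the next few counter values.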

In another aspect, the invention provides a method of accessing a secure 
host facility, including sensing a biometric trait of a user that is unique to a user 
with a biometric sensor system of a portable device, and providing a biometric 
signal indicative of the biometric trait; comparing, with the portable device, the 
biometric signal with stored biometric data representative of the biometric trait of 
an enrolled person that is indicative of the identity of the enrolled person; 
providing a verification signal only if the biometric signal corresponds sufficiently 
to the biometric data to verify that the user is the enrolled person; and transmitting 
the verification signal and an ID code signal to a remote host system, wherein the 
ID code signal is indicative of an ID code associated only with the portable device, 
and wherein the host system provides access to the secure facility in response to the 
verification signal only if the host facility determines that the personal device associated 
with the ID code belongs to a registered person. 

WO 99/56429 PCT/US99/08990 

The system can be employed to provide secure access to a variety of 
different types of host facilities. The system can be used to replace security 
systems employing key card entry, fixed code entry, or a combination of key card 
and fixed code entry, which are currently employed, for [...] 
gate and garage door openers, burglar alarm systems, point of sale systems, 
hotel room locks, and the like. The system can also be configured for use with 
automotive remote key entry (RKE) systems, automotive alarm systems, and 
automotive immobilizers. 
The personal identification device and system of the invention has several 
advantages. The system is very private. Persons' biometric data, such as a 
[...] verifying registered [...] 
the host facilities store only an ID code and a public key [...] 
person. The ID code may be the serial number of the device, and the public key 
[...] retained by a trusted third party. The private key used by the device is 
[...] 

The personal identification device is compact, being about the same size as 
an electronic pager. With advances in technology, it could be made even smaller. 
The personal identification [...] that all the information 
that is associated with the user, the ID code, the private key, and 
the fingerprint template, is stored in a smart card, which [...] 
identical devices having the image capture electronics, processing circuit, 
communication module and power supply. This enables the user to switch devices 
when one is worn out or broken without having to re-register. 

The host system can be installed at host facilities with a minimal 
expenditure compared to current systems employing fingerprint identification for 
security. The biometric sensor is installed in each personal identification device, 
rather than with the host facility. This configuration also makes retrofitting 
existing security systems for use with the personal identification device a relatively 
simple procedure. The point of contact is with the personal identification device, 
which makes the present system more feasible for use at exposed, public locations, 
such as with automated teller machines, parked automobiles, and gate entries, 
where the weather and vandalism can be problems. This also makes the system of 
the invention more sanitary than other systems that require a person to operate a 
public terminal, keypad, or fingerprint scanner. 

Because each user carries his own fingerprint template in the personal 
identification device, users can "roam" to many different applications and host 
facilities without the need to enroll the template at each site. They only need to 
register prior to use. This can be done over the phone or over computer 
communication lines, such as the Internet, if only medium level security is 
required. 

The user has total control over the procedure for accessing a host facility. 
The ID cannot be read unless the user presses the fingerprint reader. The random 
number transmission and the encrypted random number transmission cannot be 
"scanned" as the random numbers are different each time access to a host facility is 
requested. The personal identification device can be used in conjunction with 
conventional telephone lines or computer network communication lines without any 
risk of theft. 

Personal identification devices could be sold via any retail outlet, for 
example, as a shrink wrap product. As the units are manufactured with unique ID 
codes and private keys there is no need to control the sale in any way. 

Unlike prior art biometric identification systems, the user is already enrolled 
by the first use of the personal identification device. This completely eliminates 
the delays and problems associated with enrolling large numbers of users and 
storing each user's biometric data. 

Other features and advantages will become apparent from the following 
description, including the drawings and the claims. 
Brief Description of the Drawings 
FIG. 1 is a block diagram of a security system according to the invention. 

FIG. 2 is a block diagram of another embodiment of a security system 
according to the invention. 

FIG. 3 is a perspective view of a personal identification device according to 
the invention. 

FIGS. 4A-4D are respective front, side, top and bottom views 
of an embodiment of a personal identification device. 

FIGS. 5A and 5B are respective front and side views of another 
[...] 

FIG. 7 is a flow diagram illustrating an embodiment of a method of 
accessing a host facility with a personal identification device. 

FIG. 8 is a flow diagram illustrating another embodiment of a method of 
accessing a host facility with a personal identification device. 

FIG. 9 is a schematic diagram of an embodiment of the processor unit. 

FIGS. 10A and 10B are a perspective and block diagrams, respectively, of a 
[...] 
a user's pocket. 

Detailed Description 
Referring to FIG. 1, a security system 2 provides access to one or more 
secure host facilities 4 only to registered persons. A host facility 4 may be a bank, 
a store, a military base, a computer system, an automobile, a home security system, 
a gate or any other facility where it is desired to restrict access to selected 
individuals. Each registered person uses a battery powered, portable personal 
identification device (PID) 6, which communicates with a [...] 
host facility 4. PID 6 is small enough to carry on one's person, 
[...] An example of a PID 6 is shown being 
held in the palm of a man's hand 10 in FIG. 3. 
PID 6 includes a biometric sensor. In the described embodiment, a 
biometric sensor 11 includes an optics unit 12 having a CMOS optical sensor 
imaging device 14, and an exposed optical platen 15. Imaging device 14 can also 
be a CCD imaging device. A lens (not shown) may also be used to focus an image 
from a surface of platen 15 onto imaging device 14. PID 6 also includes a 
processing unit 16. Processing unit 16 includes a processor circuit 18, an external 
memory 20 and may include an analog-to-digital converter circuit (A/D) 22. Some 
CMOS optical sensors provide a digital output signal, which eliminates the need 
for A/D 22. PID 6 further includes a communication unit 24, which has a 
transmitter module 26 and a receiver module 28. 

Memory 20 stores information that is specific to processing unit 16. 
Memory 20 stores an ID code that is set in PID 6 by the manufacturer. The ID 
code of a device, which may be the device serial number, is unique to each device. 
Memory 20 also stores a fingerprint template that is generated by processing unit 
16 from a fingerprint image signal provided by optics unit 12 when an individual 
first enrolls into PID 6, as will be described in detail below. That fingerprint 
image signal is representative of an image of a fingerprint of the enrolled 
individual. The fingerprint template is a data set that is representative of features 
of the enrolled individual's fingerprint. The fingerprint template is normally not 
changed once it is established in memory 20. In some embodiments, PID 6 may 
include a serial port (not shown), which can be used to plug into a computer to 
update or change the fingerprint template. For security purposes, PID 6 would be 
used to perform an identification verification before allowing such a change. 

Processing unit 16 also includes an encryption algorithm incorporated into 
an encoder 23. In the embodiment illustrated in FIG. 1, the encryption algorithm is 
programmed into processor circuit 18. A private key that is stored in memory 20 
is used with the encryption algorithm for encryption. The private key can be set 
into memory by the manufacturer, and is specific to each PID 6. Different PIDs 6, 
which have different processing units 16, will typically have different private keys. 
The encryption algorithm, on the other hand, can be the same for all PIDs 6. 

Host facility 4 is part of a host system 30. Host system 30 will typically be 
bank ATM systems, point of sale systems, and the like. Host system 30 also 
includes a host processing unit 32, which has a processor circuit 34 and memory 
36. Communication unit 8 in host facility 4 includes a receiver module 38 and a 
transmitter module 40. Host processing unit 32 may be located with host facility 4, 
or may be located at a remote location, where it may also serve other host facilities 
4 in a distributed network 42. 

Memory 36 stores ID codes of enrolled individuals who have registered 
with host system 30. Memory 36 also stores public keys associated with respective 
ones of the stored ID codes. By employing the correct public key associated with a 
specific ID code, host processor circuit 34 can decrypt a signal that has been 
encrypted according to the encryption algorithm and personal key associated with 
the specific ID code, in a manner known in the encryption arts. The public key 
can also be stored with a trusted third party 39, which provides this service for 
several host systems in a known manner. 

Signals 41 may be transmitted between PID 6 and host facility via any 
wireless transmission method. Transmission can be via RF, infrared, induction, 
sound, or the like. In this embodiment, PID communication unit 24 and host 
communication unit 8 will normally have a short transmission range of 
approximately a meter or less; however, longer ranges can be used as well. Hard- 
wire transmission methods can also be employed, either alone or in combination 
with a wireless transmission method. For example, transmission can employ dial 
tone modulation frequency (DTMF) (tone transmission) via a conventional phone 
system, employ a cable TV line in conjunction with the cable remote control 
system, or employ a computer communication medium, such as the Internet or a 
private network. PID 6 can employ more than one transmission/reception mode, 
such as, for example, an RF and a DTMF unit. 

In another embodiment of a security system 2A, shown in FIG. 2, a PID 6A 
includes most of the features of PID 6 described above with reference to FIG. 1, 
with some significant differences. Note that features that system 2 has in common 
with system 2A are labeled with the same reference numerals in FIGS. 1 and 2, 
which convention is continued in the remainder of the FIGS. and in the following 
description. One difference is that communication module 24A lacks receiver 
module 26. Also, encoder 23A includes an encoder chip, for example, the HSC200 
or HSC300 KEELOQ® Code Hopping Encoder, available from Microchip 
Technology, Inc. of Chandler, Arizona, that contains the encryption algorithm. 
Security system 2A includes a host facility 4A in which host processing unit 32A is 
located at the same site as host facility 4A. Host system communication unit 8A 
includes a receiver module 38, but does not include a transmitter module. 

The embodiment illustrated in FIG. 2 will typically be employed with 
systems such as garage door openers, automobile security systems, door locks, and 
the like. As such, PID communication module 24A will have a longer transmission 
range than communication module 24 in the embodiment illustrated in FIG. 1. 

Encoder 23A includes an ID code, which may be a serial number of 
encoder 23 or PID 6A. Encoder 23A also includes a synchronization counter, an 
encryption key and an encryption algorithm that employs the encryption key. Host 
system 4A must "learn" the ID code and the synchronization counter for each PID 
6A which is used to access a function of host system 4A. Host system 4A must 
also know the encryption key. 

Referring now to FIGS. 4A-4D, one embodiment of a PID 6B, which 
includes all the features also shown in FIG. 1, includes a housing 44 similar in size 
to a personal pager or a small cellular telephone. A front side 46 includes a 
keypad 48 for entering data and commands, and a liquid crystal display 50 for 
displaying data being entered with keypad 48 and for displaying status signals to 
the user. Keypad 48 can be eliminated in some models where programmability is 
not required. Platen 15 is located at the top of PID 6B, and is contoured for a 
finger. Platen 15 is also slightly recessed in housing 42 to provide some protection 
from scratching. A back side 56 of PID 6B includes a battery cover (not shown) 
and apertures for a DTMF speaker (not shown). A serial port can be included 
under the battery cover. 

Housing 42 includes a slot 52 for receiving a smart card 54, which is shown 
in shadow being fully inserted into slot 52 in FIG. 4A. Smart card 54 includes 
external memory 20, and can be removed from one housing 42 and used in a new 
housing 42. Because memory 20 contains all the personal information, i.e., the 
private key, the ID code, and the fingerprint template, the smart card can be used 
with a different PID housing 42 without having to re-enroll the user or re-register 
the user with host systems. Some models in which memory 20 is 
hard-wired inside housing 42 would not include smart card slot 52. 

FIGS. 5A and 5B illustrate an embodiment of a PID 6C in which keypad 48 
and smart card slot 52 are not included. PID 6C does, however, include platen 15, 
display 50, and a belt clip 58, which could be included in any model. 

FIG. 6 illustrates an embodiment of a PID 6D which is structured similar to the
embodiment illustrated in FIG. 2, for uses such as a garage door opener or
automobile security system. PID 6D includes platen 15 at the top
and three function buttons. For an automobile security system the function buttons
can be a driver door button 60, a trunk button 62 and an alarm button 64. Buttons
60, 62, and 64 can be adapted for use with other host systems having different
functions.

Optics unit 12 can be an image sensor module available from Fingerscan
PTY Ltd (an Identix company), of Sydney, Australia, as part of their F3 OEM Kit.
The entire F3 OEM Kit manual, published in 1998, is incorporated herein by
reference.

Platen 15 and imaging device 14 have a usable area of about 16 mm X
8 mm. Imaging device 14 in the F3 OEM Kit is a CMOS device that provides an
output comprising an analog fingerprint image signal representing an image
of a finger placed on platen 15. The fingerprint image signal is communicated to
processing unit 16 via a six-wire connector 68, which is shown in a circuit diagram
in FIG. 9.

Processing unit 16 is also included in the F3 OEM Kit. Referring
again to FIG. 9, processor circuit 18 includes an SH7034 32-bit RISC
microprocessor 70, made by Hitachi of Japan. Microprocessor 70 communicates
over an 8-bit data bus 72 with external memory 20 and 22, and over control
lines 74, 76 with optics unit 12. The SH7034 microprocessor 70 has a 64 Kb
internal programmable read only memory (PROM) engine and an internal 4 Kb
static random access memory (SRAM).

In the PROM resides a Fingerscan Biometrics Engine (FBE), which includes
algorithms for capturing and processing fingerprint image signals. These
algorithms allow a finger image of approximately 140 Kbytes to be converted into
a finger model, or template, of approximately 120 bytes. This size saves memory
and improves the speed of processing by decreasing the time it takes to transfer
finger models to and from the internal memory. The FBE includes special
instruction sequences to optimize the following operations: image capture and
background rejection; video signal filtering and digitizing; template matching;
finger presence detection; false finger detection; and power on self test.

A/D 22 converts the analog video signal from optics unit 12 into digital
data that is stored in memory for subsequent use by processor circuit 18. Memory
20 also stores the finger template of the user who is enrolled in PID 6, and also
stores custom written code. Microprocessor 70 controls and has access to 1 Mbyte
in DRAM 78 -70) and 512 Kbytes of external flash memory in PROM 80. DRAM
78 includes two NEC 424400 chips, and PROM 80 is an AMD 29F040 chip.

In one embodiment of communication unit 24, transmitter module includes
an induction loop data link, which is configured as a short-range (< 0.5 m) wireless
modem, operating at 1200 Baud, at 70 KHz carrier frequency, using amplitude shift
keying modulation. The protocol is half duplex, carrier detect multiple access
(modified aloha) and the software includes a CRC 16 packet error correction
method. A processor included in transmitter module is based on a PIC16C72
device. The transmit current is typically 1 mA.

In the embodiment illustrated in FIG. 9, encoder 23 resides in code
programmed into processing circuit 18. However, as discussed above, other
embodiments may base encoder 23 on a dedicated encoder chip, such as the
HSC200 or HSC300 KEELOQ® Code Hopping Encoder. A PID may include
encryption code residing in processor circuit 18 and also include an encoder chip so
that PID can combine the functions of the embodiments illustrated in FIGS. 1 and
2 in a single unit. These encoder chips combine a 32-bit hopping code generated
by a non-linear encryption algorithm, with a 28-bit serial number and 6 information
bits to create a 66-bit transmission stream. The length of the transmission
eliminates the threat of code scanning, and the code hopping mechanism makes the
transmission unique, thus rendering code capture and resend schemes useless.

An owner of PID 6 must first "enroll" into the unit. Enrollment is the
process of scanning a finger to create an image which is stored as a fingerprint
template in memory 20. The user enrolls on the unit by removing the "packing"
cover and placing a thumb or finger on platen 15. PID can be configured to
automatically start the enrollment routine with this action. Enrollment takes
approximately 7 seconds. The resultant template is stored in memory 20.
PID 6 is configured to enable a user to enroll one finger on each hand so that, if
the user injures the finger they usually use for verification, an alternate image is
available.

Enrollment preferably permits the user several attempts to check and test the
operation on the verify. Instructions and queries would be indicated, for example,
by display 50 in this mode (see FIG. 4A). Until the user accepts,
the unit will not transmit signals in any way but will allow any number of attempts
to re-enroll and verify (test) the operation. Once committed there is no going back.

If the enrollment is to be stored on a removable smart card 54 (see FIG. 4A)
along with the ID code and private encryption key files, these would not be
accessible to other devices. It allows users to swap their PID 6 and retain their
enrolled identifying data on smart card 54, while using other PIDs 6. This is the
same process used in digital portable telephones today. A user can take the SIM
card out of the telephone and swap phones without any security issues.

Verification is carried out when a user places his finger on platen 15, or
presses a verify button if included in PID 6. In the embodiment illustrated in FIG.
4A the verify button can be a dedicated button, such as the * button 55, or could
be any other button or sequence of buttons. Each time the user places his or her
finger on platen 15 (or presses the verify button and places their finger on platen
15) the optics unit 12 creates a fingerprint signal indicative of a fingerprint image
of the user's finger on platen 15. The fingerprint signal is compared to the stored
fingerprint template. If the two are significantly similar, the user's identity is
verified to be the enrolled person. Verification takes about 1 second or less once
the fingerprint template has been retrieved from storage. The user's fingerprint is
always verified with the fingerprint template to allow the use of the encryption key.

In programmable PIDs, verification for individual users can be set at
various threshold levels to account for users who may have very fine, worn or
damaged fingers. In this event the ease of use can be enhanced by reducing their
verification threshold. Verification threshold can be set at the time of enrollment.

Once the owner or person controlling the unit is enrolled, the unit can then
be "registered" with numerous organizations. The host organization is only
interested in knowing the ID code and the public encryption key.

The operation of security system 2 illustrated in FIG. 1 is different from the 
operation of security system 2A illustrated in FIG. 2. The operation of the 
embodiment illustrated in FIG. 1 will be described first. 

In the first embodiment illustrated in FIG. 1, each of PID 6 and host facility
4 include transmit and receive functions. A communication from PID 6 to host
system 30 is encrypted according to an encryption algorithm that employs a private
key in encrypting and a public key to decrypt. The public encryption key is
associated with PID 6 and therefore also with the enrolled person. The private
encryption key is stored or loaded into PID 6 at registration time or at manufacture.
When a user registers with each host system 30, the user provides the user's ID
code and public key to host facility 4 as part of the user's account record. The
public key can be stored by the host system. Alternatively, the user provides the
public key to a central authority (trusted third party 39) with which host system 30
can communicate.

Referring now to FIG. 7, a user of PID 6 approaches host facility 4, e.g.,
an ATM (100). As PID 6 reaches the range of the host facility's receiver module
38, the microprocessor is "powered up." The user may have to select a
transmission mode that matches that of host system 30, if more than one
transmission mode is available on PID 6. Processor circuit 18 causes transmitter
module 28 to transmit the ID code signal without encryption (102). This is
received by host receiver module 38 and passed on to host processing unit 32
(104). Host processing unit 32 verifies that the received ID code signal represents
a registered ID code (106). If the verification fails, then the access process ends
(108). If the ID code is verified, then the account or user information is located,
including the public encryption key associated with the registered ID code (110).
The public encryption key may have to be retrieved from a remote source, such as
a central authority. A large random number is also generated by host processing
[...] a random number signal indicative of the random number to PID 6 (114).
Receiver module 26 passes the random number signal to processing unit 16 (116).
PID 6 performs a user verification (118). If the verification fails, the process ends
(108). Alternatively, PID 6 can display a prompt to try again. If the user's
identity is successfully verified as a match with the enrolled person based upon a
comparison of the stored fingerprint template and a fingerprint image signal
generated when the user places his finger on platen 15, the private encryption key
associated with PID 6 is used to encrypt the random number according to the
encryption algorithm (120). Processing unit 16 causes transmitter module 28 to
transmit a signal representing the encrypted random number to host system 30
(122), where host processing unit 32 uses the public encryption key to decrypt the
encrypted random number (124). Host processing unit 32 then determines if the
decrypted random number matches the random number (126). If this is successful,
then the user is granted access to the host facility (128). If this verification fails,
the user is denied access (108). The step of verifying the identity of the user with
the biometrics (118) can be performed at other junctures of the process, such as
prior to transmitting the ID code signal (102); however, it must be carried out
before encrypting the random number (120).

Hardware for host system 30 can include a small communication unit 8 with
a sensor such as an RF antenna. Processor circuit 34 can include a CPU to
generate the random number, to verify the ID code received from PID 6, to decrypt
the encrypted random number received from PID 6, and to compare the decrypted
random number with the earlier generated random number.

As these transmissions are random, there is no possibility of scanning or
tracking the codes other than to find the original ID code, which is effectively of
no use. The random number generators are such that they will always produce
unique codes.

If a host system 30, such as a bank, a store, or a credit card company,
implements this system, it would have the users register by presenting themselves
with their PID 6 and the required personal identification papers, which is no
different than current methods of obtaining a bank card to access accounts with an
ATM. The bank or other host system 30 would ask the user to complete a verify
on their PID 6 and read the ID code and test the send and receive of the encryption 
codes. This would establish the public key with the bank and confirm the private 
key in PID 6. The user is now ready to use the system. Note that the bank does 
not have the user's fingerprint template— it only has the ID code and the public 
encryption key. Therefore there is no privacy issue regarding release of the user's 
fingerprint template. 

After the user registers, verification is as described above. From the 
bank's point of view, the ATM (for example) commences normal operation. The 
user, instead of entering a bank card and a personal identification number (PIN), 
may simply press a verify pad or button on their PID 6 while placing their finger 
on platen 15. The ATM receiver reads the ID code, and if the code is valid 
generates a large random number, and transmits the number to the user's PID 6. If 
the validation is successful, PID 6 then encrypts the random number using the 
private encryption key according to the encryption algorithm, and transmits the 
result back. The bank system checks the result using the public encryption key and 
confirms the correct identity of the user. The transaction proceeds. 

The bank's ATM will typically be connected to the Bank central system via 
network 42. Network 42 can be used for transmitting signals between the ATM 
and the bank central system where the CPU and data bases may be located. 

The private encryption key can only be used after a verify; host system 30
knows the ID is correct as the key is unique to that user. Therefore, only that user
could be carrying the reader. The key may well be installed during manufacture
but only released after the unit is loaded with a template.
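
The FIG. 7 exchange (steps 102-128), modelled with both sides, as an added example that is not part of the patent. It assumes textbook RSA over a constructed demo key (the patent names no algorithm; a deployment would use a padded signature scheme) and a hypothetical byte-similarity matcher in place of the fingerprint engine; all class and function names are illustrative.

```python
import hmac
import secrets

# Constructed demo key pair (assumption: textbook RSA, no padding; the patent
# does not name an algorithm). Both factors are Mersenne primes.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, lives only in the PID
NONCE_BYTES = (N.bit_length() + 7) // 8


def similarity(sample: bytes, template: bytes) -> float:
    """Hypothetical stand-in matcher: fraction of equal bytes (not the FBE)."""
    if len(sample) != len(template):
        return 0.0
    return sum(a == b for a, b in zip(sample, template)) / len(template)


class PID:
    """Device side. The private key is reachable only through respond()."""

    def __init__(self, id_code: str, template: bytes, threshold: float = 0.9):
        self.id_code = id_code
        self._template = template          # never leaves the device
        self._threshold = threshold        # set at enrollment
        self._d = D

    def respond(self, challenge: int, finger_sample: bytes):
        # Step 118: the biometric verify must succeed before the key is used.
        if similarity(finger_sample, self._template) < self._threshold:
            return None                    # step 108: nothing is transmitted
        return pow(challenge, self._d, N)  # step 120: "encrypt" with private key


class Host:
    """Host side. Stores only ID code and public key, never the template."""

    def __init__(self):
        self._accounts = {}                # id_code -> (n, e)
        self._pending = {}                 # id_code -> outstanding random number

    def register(self, id_code: str, public_key: tuple):
        self._accounts[id_code] = public_key

    def begin(self, id_code: str):
        # Steps 104-114: unknown ID codes get no challenge at all.
        if id_code not in self._accounts:
            return None
        nonce = secrets.randbelow(N - 2) + 2   # CSPRNG, fresh per attempt
        self._pending[id_code] = nonce
        return nonce

    def finish(self, id_code: str, response) -> bool:
        # Steps 124-128. pop() makes every random number single-use.
        nonce = self._pending.pop(id_code, None)
        if nonce is None or not isinstance(response, int):
            return False
        n, e = self._accounts[id_code]
        if not 0 < response < n:
            return False
        recovered = pow(response, e, n)    # "decrypt" with the public key
        return hmac.compare_digest(recovered.to_bytes(NONCE_BYTES, "big"),
                                   nonce.to_bytes(NONCE_BYTES, "big"))


def run_demo() -> dict:
    template = bytes(range(120))               # constructed 120-byte template
    owner_finger = template[:115] + bytes(5)   # constructed: 115 of 120 bytes match
    other_finger = bytes(120)                  # constructed non-matching sample
    pid, host = PID("ID-0001", template), Host()
    host.register(pid.id_code, (N, E))

    results = {}
    c1 = host.begin(pid.id_code)
    r1 = pid.respond(c1, owner_finger)
    results["owner_granted"] = host.finish(pid.id_code, r1)

    # A captured response does not satisfy the next random number.
    host.begin(pid.id_code)
    results["replay_granted"] = host.finish(pid.id_code, r1)

    # With no outstanding random number, a response is rejected outright.
    results["reuse_granted"] = host.finish(pid.id_code, r1)

    c3 = host.begin(pid.id_code)
    r3 = pid.respond(c3, other_finger)
    results["wrong_finger_response"] = r3
    results["wrong_finger_granted"] = host.finish(pid.id_code, r3)

    results["unknown_id_challenge"] = host.begin("ID-9999")
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The host never holds the template or the private exponent, and a failed verify on the device produces no transmission at all, which is the property the paragraph above relies on.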

In a second mode of operation, typically used in car alarm systems and the
like, PID 6A is configured as shown in FIG. 2 to transmit, and host facility 4A is
configured to only receive. Receiver module 38 is a standard automobile or garage
door type of installation. There is no special adaptation other than the required
alarm or immobilizer installation. These systems include a "learn" mode, which is
used to program in the new system. In learning a registering person's PID 6A, the
host system 4A learns the ID code, the synchronization counter timing, and the
encryption key of that PID 6A. This process is essentially the same as the learning
process for many current model garage door openers and car systems.

Referring to FIG. 8, to obtain access to host facility 4A, the user activates
PID 6A by placing a finger on platen 15. PID 6A performs a user verification
from the stored fingerprint template (200). If the verify is successful,
processing unit 16A causes encoder 23A to generate an encrypted signal (202). If
not successful, the process ends (204). The encrypted signal includes the
unencrypted ID code of PID 6, encrypted synchronization counter information and
encrypted function button information. The encryption employs the encryption
key resident in encoder 23A. Transmitter unit 28 then transmits the encrypted
signal to host facility 4A (206). Host facility 4A then passes the encrypted signal to
host processing unit 32A, which checks the ID code for a match with the ID
code of a registered user (208). Typically, there will be only a small number of
users for car lock and garage door systems, and each may have an
ID code and encryption key. If there is no match, then the process ends (204). If
there is a match, host processing unit 4A retrieves the stored encryption key and
decrypts the encrypted portion of the received encrypted signal (210). Host
processing unit then verifies that the synchronization counter information in the
decrypted signal matches stored synchronization counter information in memory
(212). If the synchronization counter information does not match the stored
information, then the process ends (204). If the synchronization counter
information matches the stored information, then the user is granted access to host
facility 4A (214). The access granted is determined by function button
information contained in the encrypted signal.
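
The FIG. 8 receiver logic (steps 200-214), as an added example that is not part of the patent or of any encoder vendor's code. The 32-bit cipher is a stand-in Feistel construction, not KeeLoq, and the acceptance window, the 12-bit decrypt check and all names are assumptions; the patent only says the counter must match the stored value.

```python
import hashlib
import hmac

WINDOW = 16  # assumption: frames up to 16 counts ahead of the stored value pass


def _f(key: bytes, rnd: int, half: int) -> int:
    """Round function for the stand-in cipher below."""
    mac = hmac.new(key, bytes([rnd]) + half.to_bytes(2, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest()[:2], "big")


def encrypt32(key: bytes, block: int) -> int:
    """Stand-in 32-bit Feistel cipher for illustration; this is NOT KeeLoq."""
    left, right = block >> 16, block & 0xFFFF
    for rnd in range(4):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << 16) | right


def decrypt32(key: bytes, block: int) -> int:
    """Inverse of encrypt32: the same rounds applied in reverse order."""
    left, right = block >> 16, block & 0xFFFF
    for rnd in reversed(range(4)):
        left, right = right ^ _f(key, rnd, left), left
    return (left << 16) | right


class Transmitter:
    """PID 6A side; frame() is reached only after the fingerprint verify (200)."""

    def __init__(self, id_code: int, key: bytes, counter: int):
        self.id_code, self.key, self.counter = id_code, key, counter

    def frame(self, button: int):
        self.counter = (self.counter + 1) & 0xFFFF
        # Encrypted part: 16-bit sync counter, 12 ID bits as a decrypt check
        # (assumed layout), 4 function-button bits.
        plain = (self.counter << 16) | ((self.id_code & 0xFFF) << 4) | (button & 0xF)
        return self.id_code, encrypt32(self.key, plain)   # ID code stays in clear


class Receiver:
    """Host 4A side: learned ID code, key and last accepted counter per PID."""

    def __init__(self):
        self.learned = {}

    def learn(self, id_code: int, key: bytes, counter: int):
        self.learned[id_code] = [key, counter]

    def accept(self, id_code: int, hopping: int):
        entry = self.learned.get(id_code)
        if entry is None:                                  # step 208 -> 204
            return False, "unknown ID code"
        key, last = entry
        plain = decrypt32(key, hopping)                    # step 210
        counter, check, button = plain >> 16, (plain >> 4) & 0xFFF, plain & 0xF
        if check != id_code & 0xFFF:
            return False, "decrypt check failed"
        ahead = (counter - last) & 0xFFFF                  # wrap-safe distance
        if not 0 < ahead <= WINDOW:                        # step 212 -> 204
            return False, "counter replayed or out of window"
        entry[1] = counter                                 # advance stored counter
        return True, f"function button {button}"           # step 214


def run_rolling_demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed key
    tx = Transmitter(0x0ABCDEF, key, counter=100)
    rx = Receiver()
    rx.learn(0x0ABCDEF, key, 100)                          # "learn" mode

    out = {}
    first = tx.frame(button=1)
    out["first_press"] = rx.accept(*first)
    out["replayed_capture"] = rx.accept(*first)            # same frame resent
    for _ in range(3):                                     # presses out of range
        tx.frame(button=1)
    out["after_3_missed"] = rx.accept(*tx.frame(button=2))
    for _ in range(20):                                    # long desynchronisation
        tx.frame(button=1)
    out["after_20_missed"] = rx.accept(*tx.frame(button=1))
    out["unknown_id"] = rx.accept(0x0000001, first[1])
    return out


if __name__ == "__main__":
    for name, value in run_rolling_demo().items():
        print(f"{name}: {value}")
```

The last legitimate case is the operational cost of the scheme: a transmitter that has drifted past the window is rejected exactly like a replay and has to be learned again.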

In both embodiments, the PID unit can be set in a low power "StandBy" or
"Off" function, or could be powered on by the action of pressing the platen.

There are a large number of alternative applications. For example, a hotel
could employ the invention in a door lock security system. A hotel registrant
would register his PID with the hotel. The hotel would identify the user's ID code
[...] door. A member of the hotel [...]
PID which would configure the door to that PID and some other master PID for
hotel staff. There would be no need for a hard wired communications system to
each door unless central control is required.

The biometric sensor 11 may include a direct contact device instead of an
optic sensor unit 12. Direct contact capacitive chip fingerprint sensors can be
obtained from SGS Thomson Microelectronics, of Phoenix, Arizona, from
Veridicom, Inc., of Santa Clara, California, and from Harris Semiconductor, of
Melbourne, Florida. A direct contact thermal sensor may also be used for
fingerprint sensing.

Other embodiments are within the scope of the claims. 

For example, referring to FIGS. 10A and 10B, a PID 300 is configured to
identify a user of a vehicle, provide immobilization security for the vehicle, and to
automatically maintain a log of vehicle travel information. PID 300 is configured
as a hand-held device with a finger platen 301, a display 302, an input keypad 304,
and an input/output port 306. Input/output port 306 plugs into an in-vehicle
adaptor module 307 which couples PID 300 to the vehicle power system 308, the
engine management computer 310 and a global positioning system (GPS) 312.
Adaptor module 307 includes a unique identification number that relates to the
registration details of the vehicle. To operate the vehicle, the user must first be
enrolled in PID 300 and PID 300 must be inserted into adaptor module 307. To
start the vehicle, the user must activate a start-up option on PID 300 and must
press (or swipe) a finger against finger platen 301. PID 300 extracts a
representation of the user's fingerprint and compares the extracted information with
a stored representation of the user's fingerprint. If the two fingerprint
representations substantially match, PID 300 transmits a verification signal that
enables the user to access the engine management system and operate the vehicle.
After the user's identity has been verified, PID 300 begins to log trip information,
including start time, vehicle location and trip log (map) information based on
information received from GPS 312, vehicle speed and distance traveled. There is
no need for the user to log travel information because all logging information is
automated. The user may, however, enter additional information into PID 300
through keypad 304. PID 300 is programmable. For example, PID 300 may be
programmed to prompt the user to enter additional identification information at
different times during a trip or at preselected vehicle locations based upon signals
received from GPS 312. PID 300 includes a transceiver (e.g., an RF transceiver or
a digital cellular telephone transceiver) that enables the device to be interrogated
remotely (e.g., by devices located at preselected vehicle checkpoint locations, such
as the locations of existing highway monitoring cameras).

Referring to FIG. 11, in another embodiment, a PID 320 is configured as a
pocket-sized unit which may be clipped to a pocket 321 of a user's shirt and is
configured to provide access to a secure location. The housing of PID 320
includes a pocket for holding a user identification card 325 (e.g., a photo ID card).
PID 320 includes a finger platen 322, a notification light 324 (e.g., a red light
emitting diode), a processor, and a receiver. When the receiver is located near
(e.g., within about 0.5 meters) the transmitter of a host system which controls
access to the secure location, the processor switches from a low power operation
(standby or off mode) to a normal power operation and causes notification light
324 to flash, prompting the user to press (or swipe) a finger against finger platen
322. PID 320 extracts a representation of the user's fingerprint and compares the
extracted information with a stored representation of the user's fingerprint. If the
two fingerprint representations are sufficiently close, PID 320 transmits a
verification signal to the host system. Upon receipt of the verification signal, the
host system grants access to the secure location and logs information relating to the
user and time access was granted. PID 320 includes an RF transceiver which
enables PID 320 to wirelessly receive enrollment information (e.g., add or remove
users) and to set access codes for each of the enrolled users.

Still other embodiments are within the scope of the claims.

1. A portable, hand-held personal identification device for providing secure
access to a host facility, comprising:

a biometric sensor system capable of sensing a biometric trait of a
user that is unique to the user and providing a biometric signal indicative thereof;

a processing unit responsive to the biometric signal, being adapted to
compare the biometric signal with stored biometric data representative of the
biometric trait of an enrolled person that is indicative of the identity of the enrolled
person, and to provide a verification signal only if the biometric signal corresponds
sufficiently to the biometric data to verify that the user is the enrolled person,
wherein the verification signal is indicative of the enrolled person or the device;
and

a communication unit, including a transmitter circuit, is adapted to
transmit the verification signal to a remote host system.

2. The personal identification device of claim 1, wherein the biometric
sensor system includes a fingerprint sensor.

3. The personal identification device of claim 2, wherein the fingerprint
sensor includes a platen adapted for placing a finger thereon.

4. The personal identification device of claim 3, wherein the fingerprint
sensor further includes an optical image sensor.

5. The personal identification device of claim 1, wherein the biometric
sensor system includes an optical image sensor.

6. The personal identification device of claim 5, wherein the optical image
sensor comprises a CMOS chip.

7. The personal identification device of claim 1, wherein the processing
unit includes a processor circuit, a memory and an encoder, wherein the memory
stores the biometric data, and wherein the verification signal comprises an
encrypted signal encrypted by the encoder.

8. The personal identification device of claim 7, wherein the encoder
comprises an encoding circuit, and wherein the verification signal further comprises
an ID code indicative of the enrolled person or the device.

9. The personal identification device of claim 7, wherein the encoder
comprises an encryption algorithm programmed into the processor, and wherein the
encryption algorithm employs a private key indicative of the enrolled person or the
device.

10. The personal identification device of claim 9, wherein the
communication unit further comprises a receiver circuit, wherein the memory
further stores an ID code indicative of the enrolled person or the device, wherein
the processor unit is further adapted to first cause the transmitter circuit to transmit
an ID code signal indicative of the ID code to the host system, wherein the receiver
circuit is adapted to receive a host response signal transmitted by the host system in
response to the ID code signal, and wherein the processor unit employs the
encryption algorithm and the private key to encrypt the host response signal to
create the verification signal, and causes the transmitter circuit to transmit the
verification signal to the host system only if the biometric signal corresponds
sufficiently to the biometric data to verify that the user is the enrolled person.

11. The personal identification device of claim 7, wherein the memory is
located in a removable plug-in module, the personal identification device further
comprising a socket adapted to receive the module.

12. The personal identification device of claim 1, wherein the
communication unit further includes a receiving circuit being adapted to receive a
host response signal from the host system.

13. The personal identification device of claim 1, wherein the
communication unit is adapted for remote communication with the host system via
a wireless communication medium.

14. The personal identification device of claim 1, further comprising a
display.

15. The personal identification device of claim 14, further comprising a
keypad.

16. The personal identification device of claim 1,

wherein the biometric sensor system includes a fingerprint sensor and
wherein the biometric trait is a fingerprint;

wherein the communication unit further comprises a receiver circuit adapted
to receive signals transmitted by the host system;

wherein the processing unit includes:

memory for storing an ID code associated only with the device, a
personal encryption key associated only with the device, and the biometric data;

a processor circuit adapted to encrypt the host response signal
according to an encryption algorithm employing the personal encryption key;

wherein the processing unit is further adapted to first cause the transmitter
circuit to transmit an ID code signal indicative of the ID code to the host system,
wherein the receiver circuit is adapted to receive a host response signal transmitted
by the host system in response to the ID code signal, and to employ the encryption
algorithm and the private encryption key to create the verification signal by
encrypting a host response signal received by the receiver circuit from the host
system in response to the ID code signal.

17. The personal identification device of claim 16, wherein the memory is
located in a removable plug-in module, the personal identification device further
comprising a socket adapted to receive the module.

18. A portable, hand-held personal identification device for providing
secure access to a host facility, comprising:

a housing;

a fingerprint sensor system capable of sensing a fingerprint of a user and
providing a fingerprint signal indicative thereof, the fingerprint sensor system
including a platen on a surface of the housing adapted to receive a finger;

a communication unit in the housing being adapted for wireless
communication with a separate host system, including a transmitting circuit and a
receiving circuit; and

a slot in the housing for receiving a smart card that includes a memory.

19. The personal identification device of claim 18, in combination with the
smart card, wherein the memory in the smart card stores a fingerprint template
representative of the fingerprint of an enrolled person, and an ID code and a
personal encryption key being associated with the device, wherein the processing
circuit is adapted to cause the ID code signal from memory to be transmitted by the
transmitting circuit, and wherein the processing circuit is further adapted to cause a
host response signal received by the receiving circuit signal from the host system in
response to the ID code signal to be encrypted according to an encryption algorithm
employing the personal encryption key and to cause the encrypted host response
signal to be transmitted by the transmitting circuit only if the fingerprint signal
corresponds sufficiently to the fingerprint template to verify that the user is the
registered person.

20. The personal identification device of claim 18, further comprising an
alphanumeric display.

21. The personal identification device of claim 20, further comprising a
keypad for inputting data.

22. A method of providing secure access to a host facility, comprising:

registering one or more persons with the host facility, including storing a
unique ID code and a public encryption key for each registered person;

receiving a first transmission comprising a first user signal at the host
facility;

generating and then transmitting a random number signal only if the first
user signal represents one of the stored ID codes;

receiving a second transmission comprising a second user signal at the host
facility;

decrypting the second user signal with the public encryption key associated
with the registered person who is also associated with the stored ID code
represented by the first user signal; and

providing access to the host facility only if the decrypted second user signal
represents the random number.

23. A method of providing access to a secure host facility only to
registered persons, comprising:

registering one or more registered persons with the host system, wherein
registering each registered person includes storing an ID code associated only with
a portable hand-held device under the control of that registered person;

transmitting an ID code signal from a portable hand-held device to a facility
of the host system, wherein the ID code signal represents an ID code associated
with the transmitting device;

generating, at the host facility, a random number signal representing a
random number in response to the ID code signal only if the ID code signal is
representative of the ID code of the device controlled by one of the registered
persons;

retrieving, with the host, a public key associated with the one of the
registered persons only if the ID code signal is representative of the ID code of the
one the device controlled by the one of the registered persons;

transmitting the random number signal from the host facility to the
transmitting device;

receiving the random number signal with the transmitting device;

generating a user fingerprint signal representing a fingerprint image of a
user's finger being placed on a platen of the transmitting device;

comparing, with the transmitting device, the user fingerprint signal to a
fingerprint template stored in the transmitting device, the fingerprint template
representing a fingerprint image of a person who is enrolled with the transmitting
device;

encrypting the random number signal with the transmitting device, the
random number signal being encrypted according to an encryption algorithm
employing a private key associated only with the transmitting device;

transmitting the encrypted random number signal from the transmitting
device to the host facility only if the fingerprint image represented by the user
fingerprint signal corresponds sufficiently to the fingerprint image represented by
the fingerprint template to verify that the user is the enrolled person;

decrypting the encrypted random number signal with the host system,
including employing the retrieved public key; and

providing the user access to the host facility only if the decrypted encrypted
random number signal represents the random number.

24. The method of claim 23, wherein retrieving the public key includes
retrieving the public key from a trusted third party.

25. The method of claim 23, wherein transmitting the ID code signal,
transmitting the random number signal, and transmitting the encrypted random
number signal each includes transmitting via a wireless transmission.

26. The method of claim 23, wherein transmitting the ID code signal,
transmitting the random number signal, and transmitting the encrypted random
number signal each includes transmitting via at least one of a modem, a cable
access TV line, and a computer communication medium.

27. A method of providing a secure function at a host facility only to a 
registered person, comprising: 

registering a person with the host facility by storing an ID code associated 
only with a portable registered device controlled by the registered person, learning 
a synchronization counter of the registered device, storing an encryption key 
associated with the registered device and associating the encryption key of the 
registered device with the stored ID code; 

generating a user fingerprint signal representing a fingerprint image of a 
user's finger being placed on a platen of a portable user device; 

comparing, with the user device, the user fingerprint signal to a fingerprint 
template stored in the user device, the fingerprint template representing a 
fingerprint image of an enrolled person who is enrolled with the user device; 

generating an access signal with the user device only if the fingerprint 
image represented by the user fingerprint signal corresponds sufficiently to the 
fingerprint image represented by the fingerprint template to verify that the user is 
the enrolled person, the access signal comprising an ID code associated only with 
the user device, button press information representing a requested function, and 
encrypted data encrypted with an encryption key associated with the user device, 
the encrypted data including a synchronization counter associated with the user 
device; 

transmitting the access signal from the user device to the host facility; 

determining, with the host facility, if the ID code in the access signal 
matches the stored ID code; 

retrieving the encryption key of the registered device if the match is 
successful; 

employing the encryption key of the registered device to decrypt the 
encrypted data and determine the synchronization counter of the user device; 

comparing the synchronization counter of the user device with the 
synchronization counter of the registered device; 

providing the requested function represented by the button press data only if 
the synchronization counter of the user device matches the synchronization counter 
of the registered device. 
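
The host-side checks of claim 27, as an added example that is not part of the patent text. It goes beyond the claim's exact counter match by accepting a small forward window and rejecting any counter at or below the last accepted one; the Feistel stand-in cipher, the check bytes, the button value bound inside the encrypted data, WINDOW and all names are assumptions.

```python
import hashlib
import hmac
import struct

WINDOW = 16  # assumption: how far ahead of the stored counter a frame may be

def _f(key, i, half):  # Feistel round function
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    # Stand-in 64-bit cipher (4-round Feistel over HMAC-SHA256), not the device's.
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right

def decrypt_block(key, block):
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right

def _check(id_code):  # fixed bytes that let the host detect a wrong key
    return hashlib.sha256(id_code.encode()).digest()[:3]

def make_frame(id_code, key, counter, button):
    # Device side; called only after the on-device fingerprint match succeeds.
    plain = struct.pack(">IB3s", counter, button, _check(id_code))
    return id_code, button, encrypt_block(key, plain)

class Host:
    def __init__(self, devices):
        self._devices = devices  # id_code -> [key, last accepted counter]

    def handle(self, frame):
        id_code, button, blob = frame
        entry = self._devices.get(id_code)
        if entry is None or len(blob) != 8:
            return None
        counter, enc_button, check = struct.unpack(">IB3s", decrypt_block(entry[0], blob))
        if check != _check(id_code) or enc_button != button:
            return None                  # wrong key or altered clear fields
        if not 0 < counter - entry[1] <= WINDOW:
            return None                  # replayed or far out-of-sync frame
        entry[1] = counter               # resynchronise to the device
        return button
```

Storing the last accepted counter is what defeats a recorded frame: the same ciphertext decrypts correctly a second time but its counter is no longer ahead of the host's.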

28. A method of accessing a secure host facility, comprising: 

sensing a biometric trait of a user that is unique to a user with a biometric 
system of a portable device, and providing a biometric signal indicative of 
the biometric trait; 

comparing, with the portable device, the biometric signal with stored 
biometric data representative of the biometric trait of an enrolled person that is 
indicative of the identity of the enrolled person; 

providing a verification signal only if the biometric signal corresponds 
sufficiently to the biometric data to verify that the user is the enrolled person; and 

transmitting the verification signal and an ID code signal to a remote host 
system, wherein the ID code signal is indicative of an ID code associated only with 
the portable device, and wherein the host system provides access to the secure 
facility in response to the verification signal only if host facility determines that 
personal device associated with the ID code belongs to a registered person. 

29. A personal identification system, comprising: 

a biometric sensor configured to extract a representation of a biometric trait 

a processor configured to verify the user's identity based upon a comparison 
of a representation of a biometric trait extracted from a user with a stored 
representation of the biometric trait; and 

a transmitter configured to transmit a verification signal indicative of a 
successful verification of the user's identity. 

30. The system of claim 29, wherein the processor is configured to 
process signals received from a global positioning system (GPS) receiver. 

31. The system of claim 30, wherein the processor is configured to 
derive trip information from the signals received from the GPS receiver. 

32. The system of claim 31, wherein the trip information includes the 
location of the GPS receiver. 

33. The system of claim 32, wherein the processor is programmable to 
prompt the user for additional verification information when the GPS receiver is 
positioned at a particular location. 

34. The system of claim 29, further comprising a user input configured 
to enable a user to enter trip information, and wherein the processor is configured 
to process information received from the user. 

35. The system of claim 29, wherein the transmitter is further configured 
to transmit signals representative of stored trip information. 

36. The system of claim 29, wherein the biometric sensor, the processor, 
and the transmitter are housed within a portable, hand-held housing. 

37. The system of claim 36, further comprising an input device mounted 
inside a vehicle and coupled to the vehicle's power system, and wherein the input 
device is adapted to receive the verification signal from the transmitter and to 
enable the user to turn on the vehicle only upon receipt of the verification signal. 

38. The system of claim 36, wherein the housing has the form of a 
pocket-sized security badge. 

39. The system of claim 36, wherein the housing is configured to receive 
a graphical representation of the user. 

40. The system of claim 29, further comprising an automatic door 
locking device coupled to a vehicle door and adapted to unlock the door upon 
receipt of the verification signal. 

41. The system of claim 29, further comprising an automatic door 
locking device coupled to a vehicle trunk and adapted to unlock the trunk upon 
receipt of the verification signal. 

42. The system of claim 29, further comprising a receiver, and wherein 
the processor is operable to switch the system from a low power operation to a 
normal power operation when the receiver receives a power-up signal from a host 
system. 

43. The system of claim 29, further comprising a memory configured to 
store the representation of the biometric trait. 

44. The system of claim 44, wherein the memory is housed within a 
portable housing separable from the biometric sensor, processor and transmitter. 

45. The system of claim 29, wherein the biometric sensor is configured 
to extract a representation of the user's fingerprint. 